Cannot restore a user account from AD recycle bin

Question

I have an issue when a particular user account when restoring it from AD recycle bin. Other accounts are restored without any issues. The issue is when to restore the account with powershell:

PS C:\Windows\system32> Get-AdObject -Filter {SamAccountName -eq 'username'} -IncludeDeletedObjects | Restore-AdObject Restore-AdObject : An attempt was made to modify an object to include an attribute that is not legal for its class

At line:1 char:79 + ... AccountName -eq 'username'} -IncludeDeletedObjects | Restore-AdObject + ~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (CN=User Name,DC=domain,DC=com:ADObject) [Restore-ADObject], ADExc eption + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject

and when using ldp.exe:

***Call Modify...

ldap_modify_ext_s(ld, 'CN=User Name\0ADEL:5c058da7-f575-45bc-a676-27e764cbb4bc,CN=Deleted Objects,DC=domain,DC=com',[2] attrs, SvrCtrls, ClntCtrls);

Error: Modify: Object Class Violation. <65>

Server error: 0000207D: UpdErr: DSID-03151BA4, problem 6002 (OBJ_CLASS_VIOLATION), data 592153

Error 0x207D An attempt was made to modify an object to include an attribute that is not legal for its class.

schema not changed. Maybe somebody can help me with that issue

Answer 1

Thank you for the answer. There are no any custom attributes in the schema. Anyway, a similar user with the same set of attributes is restored successfully. Unfortunately, I cannot find the way to find which attribute is the source of the problem because of there are no diagnostics information about it. Maybe, one of the attributes contains wrong value but how to find it I don't know.

Answer 2

Hello gonevgen,

Thank you for your reply.

It seems no matter which method you try to restore this AD user, you will receive the same error. The final way I think is, you can recreate the same user account instead of restoring it from recycle bin.

Best Regards,
Daisy Zhou

Answer 3

According to Restore deleted AD user! : r/activedirectory (reddit.com)

"We figured that we had to modify schema attribute. We followed this TechNet Article. Using Schema MMC snap in, obtained new OIDs for the attribute

https://social.technet.microsoft.com/wiki/contents/articles/51121.active-directory-schema-update-and-custom-attribute.aspx

Ran this Repadmin cmd to get more details about deleted objects

repadmin /showobjmeta DCNAME "distinguished name of the deleted object"

This command showed us some attributes that are supposed to their for the object, but were not present when we were trying to restore user from LDAP.exe

Once we added these coxxxxx14Code class attribute that was missing through schema MMC. This time we were able to restore the object from AD recycle bin.

We also checked the user is back with all the data in ADUC.

Cheers!!!!"

Answer 4

Hello gonevgen,

Thank you for posting in Microsoft Community forum.

From the information above, I can see the error message "An attempt was made to modify an object to include an attribute that is not legal for its class" when you restored this user object via PS command and the error message "An attempt was made to modify an object to include an attribute that is not legal for its class" when you restored user object via ldp.exe tool.

It seems you cannot restore this user object because there is a "not legal" attribute on this user object.
Also, you can try to restore it from ADAC\domain\Deleted Objects\we can find the objects we deleted in it.


Because we can only restore some attributes: such as objectGUID, objectSID, distinguishedName, nTSecurityDescriptor, USNChanged. Maybe you need to make changes on schema.
Here is a similar thread with a resolution for your reference.

Restore deleted AD user! : r/activedirectory (reddit.com)

Active Directory: Schema Update and Custom Attribute - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

I hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou